Reading PKCS8 in PEM format: Cannot find provider

萌比男神i 2020-12-12 03:06

Trying to read a PKCS8 private key in PEM format with the following:

private static PrivateKey loadPrivateKey()
        throws IOException, GeneralSecurityEx         


        
1 Answer
  • 2020-12-12 03:56

    1.2.840.113549.3.7 is the OID for DES-EDE3-CBC-Pad (in PBES2) in PKCS5 = rfc2898 sec B.2.2. (1.2.840.113549.1.5.13 is the 'outer' OID for all PBES2 variants.)

    The Sun-now-Oracle (default) providers do support the DES-EDE3 algorithm (aka TripleDES or TDEA keying option 1) with CBC and PKCS5/7 padding but do not have this OID mapping for it. The BouncyCastle provider does have the mapping, so if you use the BC provider for this operation it should work. This can be done
    * for all JVMs by configuring security.provider.<i> in JRE/lib/security/java.security (update: in j9+ JRE/conf/security/java.security) or
    * for a JVM by java.lang.security.Provider.addProvider (new BouncyCastleProvider()) or
    * for this operation by adding .setProvider() with the name of or object for the BC provider to your JceOpenSSLPKCS8DecryptorProviderBuilder invocation

    Note BC for TripleDES seems to require the 'unlimited strength policy' on Oracle Java below j8u151; see "cannot open PKCS12 store because of password" and "InvalidKeyException Illegal key size" and many other dupes.
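
The per-operation option from the answer above, written out as an added example (not the asker's code and not part of the original answer): the BC provider object is passed to JceOpenSSLPKCS8DecryptorProviderBuilder through setProvider(), and the outer and inner encryption OIDs are printed so a "Cannot find provider" failure can be matched to the algorithm in the file. It assumes the BouncyCastle bcprov and bcpkix jars are on the classpath; the class name LoadEncryptedPkcs8 and the command-line file argument are illustrative.

```java
import java.io.FileReader;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import org.bouncycastle.asn1.pkcs.PBES2Parameters;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

public class LoadEncryptedPkcs8 {  // illustrative class name
    // Provider object handed to each operation; nothing is registered JVM-wide.
    private static final BouncyCastleProvider BC = new BouncyCastleProvider();

    static PrivateKey loadPrivateKey(String pemPath, char[] password)
            throws IOException, GeneralSecurityException, OperatorCreationException, PKCSException {
        try (PEMParser parser = new PEMParser(new FileReader(pemPath))) {
            Object obj = parser.readObject();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC);
            if (obj instanceof PrivateKeyInfo) {  // "BEGIN PRIVATE KEY": unencrypted PKCS8
                return converter.getPrivateKey((PrivateKeyInfo) obj);
            }
            if (!(obj instanceof PKCS8EncryptedPrivateKeyInfo)) {
                throw new GeneralSecurityException("not a PKCS8 PEM object: " + obj);
            }
            PKCS8EncryptedPrivateKeyInfo enc = (PKCS8EncryptedPrivateKeyInfo) obj;
            AlgorithmIdentifier alg = enc.toASN1Structure().getEncryptionAlgorithm();
            System.err.println("outer OID: " + alg.getAlgorithm());
            if (PKCSObjectIdentifiers.id_PBES2.equals(alg.getAlgorithm())) {  // 1.2.840.113549.1.5.13
                System.err.println("PBES2 cipher OID: " + PBES2Parameters
                        .getInstance(alg.getParameters()).getEncryptionScheme().getAlgorithm());
            }
            InputDecryptorProvider decryptor = new JceOpenSSLPKCS8DecryptorProviderBuilder()
                    .setProvider(BC).build(password);  // BC maps 1.2.840.113549.3.7 to DES-EDE3-CBC
            return converter.getPrivateKey(enc.decryptPrivateKeyInfo(decryptor));
        }
    }
    public static void main(String[] args) throws Exception {
        // Password is read from the terminal; System.console() is null when none is attached.
        PrivateKey key = loadPrivateKey(args[0], System.console().readPassword("Key password: "));
        System.out.println(key.getAlgorithm() + " key loaded, format " + key.getFormat());
    }
}
```

A test input in the format discussed here can be produced with `openssl pkcs8 -topk8 -v2 des3`, which writes a PBES2 file whose cipher OID is 1.2.840.113549.3.7.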
